Exploring Known Unknowns in the AI Regulatory Landscape

A new analysis identifies critical gaps in AI governance, including the lack of standardized metrics for regulatory adequacy and efficacy, as existing indices like OECD.AI and Stanford HAI measure only the quantity of laws and policies rather than their effectiveness. The research highlights regulatory lag as a key unknown variable, with no agreed-upon definition of what constitutes adequate AI governance.

The AI regulatory space is a rapidly developing and maturing one, and while a lot of work has recently been done to draft new bills and establish new frameworks, there’s still a ton we don’t know about the space. This post aims to quantify and qualify some of the “known unknowns” about the space, including what I believe to be one of the most consequential unknown variables: The lag time from when new AI capabilities are announced to when regulatory bodies acknowledge or pass legislation targeted at them. My research into this topic covered six different categories: 1 Regulatory adequacy 2 Regulatory causality 3 Soft law effectiveness 4 Incremental vs novel capabilities 5 Preceding disasters 6 Regulatory lag 7 Miscellaneous Measurement Gaps As far as I can tell, there’s no definition of “regulatory adequacy”. That is, there’s no agreed on definition for what “adequate” governance would actually look like. Granted, it’s quite hard to know what “adequate” looks like in governance as you’re generally trying to optimize for something not happening. But the lack of any real standard does have costs as it makes claims about “widening gaps” between capability development and governance rather fuzzy. No standardized metrics exist for determining if a framework or law actually improves the public trust, increases model safety, or reduces AI-related harms. And without legible standards for what counts as success it’s difficult to work backwards and determine what types of advocacy or legislation campaigns are actually effective at achieving their goals. Most databases or indices of AI governance such as OECD.AI or Stanford HAI measure just the quantity of governance, like the number of laws passed or how many strategies/frameworks have been published. For instance, the OECD.AI Index https://www.oecd.org/content/dam/oecd/en/publications/reports/2026/02/oecd-ai-observatory-index 8f5fa0f2/32c01014-en.pdf combines 28 indicators that track OECD’s AI principles https://oecd.ai/en/ai-principles , but these measure only policy implementation and capacity. They don’t track how effective policies are at achieving their goals. Similarly, https://www.oecd.org/content/dam/oecd/en/publications/reports/2026/02/oecd-ai-observatory-index 8f5fa0f2/32c01014-en.pdf The Stanford HAI AI Index https://hai.stanford.edu/ai-index/2026-ai-index-report is likely the gold standard for legislative activity tracking, with longitudinal data covering legislative proceedings for 75 different countries, U.S. state and federal legislation, and global AI safety institute proliferation. Ultimately though it tracks legislative activity, enforcement actions, and compliance costs, essentially counting the volume of governance but not quality. Meanwhile, Georgetown CSET’s AGORA https://cset.georgetown.edu/article/mapping-the-ai-governance-landscape/ catalogs more than 950 AI governance documents. https://agentscout.live/policy/ai-regulation/news/20260319-stanford-ai-index-report-2026-regulation/ Finally, the Oxford Insights Government AI Readiness Index https://oxfordinsights.com/ai-readiness/government-ai-readiness-index-2025/ covers 195 governments over roughly 40 different indicators, but it measures prerequisites for governance and not actual outcomes. In the regulatory theory literature, there are some approximations, suggested techniques for assessing adequacy and efficacy. Cary Coglianese suggests https://papers.ssrn.com/sol3/papers.cfm?abstract id=4840368 using a relevant framework that tracks three regulatory dimensions: inputs/activities rules adopted, resources deployed , behaviors compliance by regulated entities , and outcomes changes in the underlying problem . He argues that the best indicators of regulatory efficacy will “almost always be those that measure the ultimate problem the regulation or process was intended to solve.” For governance in general, the World Bank’s Worldwide Governance Indicators https://www.worldbank.org/en/publication/worldwide-governance-indicators does have a “Regulatory Quality” dimension that might be worth adapting, but even it captures perceptions of government capacity and not outcomes. https://en.wikipedia.org/wiki/Worldwide Governance Indicators Are we starting to notice a theme? There’s some intuitive causes for the field’s failure to define adequacy. The first is just how nascent the field is. AI governance is essentially less than a decade old, and most frameworks simply haven’t been around long enough for outcome evaluation. There’s also a problem of competing values. Different jurisdictions define “adequate” differently based on what they value, so while the EU prioritizes rights protection, the US emphasizes innovation, and China is focused primarily on state control. Of course, there’s measurements problems as well. The causal chain that runs regulation to behavior change to outcome improvement is genuinely difficult to measure. Finally, there’s a political economy problem. In order to measure whether regulation works, you also need to measure whether regulators are doing their jobs. This isn’t an unsolvable problem, you could come up with some quantitative metric that would track regulator activity and effectiveness, like how in the finance regulation context the Basel accords define capital adequacy. The Basel Accords work by translating abstract goals like “banks should be safe” into hard numbers that are auditable. No such framework has been proposed for AI thus far. But you might define thresholds for institutional function like investigation velocity, enforcement ratio, guidance issues lag, staffing adequacy, incident rate per user-exposure-hour, severity-weighted harm index, and similar. I consider this to be one of the most important gaps to fill in the regulatory landscape, and a lot more research is required to move from counting “governance inputs” to measuring “governance outcomes”. While we do know that the number of laws and governance frameworks have surged in recent years, we don’t know what the actual causal mechanism is. Based on my research I can make some educated guesses. The driving force behind new regulation for AI is most likely some combination of high-salience technological breakthroughs combined with a surge in public attention and/or historical patterns of crisis-response. We generally see that novel capabilities drive media coverage, and media coverage does tend to correlate with increased regulation. While most people have an intuition that it’s actually alarmist news that drives regulation, it could be that any coverage leads to more regulation. I analyzed over a decade of global media coverage https://criticalreason.substack.com/p/who-sets-the-agenda-for-ai-regulation for two transformative technologies: artificial intelligence and nuclear energy. I made use of Technical milestones like the announcement of AlphaFold or the release of ChatGPT function at catalysts that drive attention, and with it, regulation. My own investigation into the distribution of regulatory events over time found that the number of regulatory events of any kind rose from 0.15 per month to 1.00 per month following the launch of ChatGPT. The EU AI Act is probably the cleanest example of new products forcing legislative revision. While the original proposal April 2021 didn’t have provisions for general-purpose AI models, https://arxiv.org/html/2503.05787v2 ChatGPT’s appearance during negotiations forced co-legislators https://arxiv.org/html/2503.05787v2 to draft an entirely new chapter. The Center for Democracy and Technology noted https://cdt.org/insights/eu-ai-act-brief-pt-5-general-purpose-ai-models/ it was “after the surge in popularity of ChatGPT… that the co-legislators drafted a dedicated chapter.” Regulatory responses to AI capability advances were minimal or nonexistent before the Gen AI era. The early breakthroughs like AlexNet breakthrough 2012 and AlphaGo 2016 generated no direct regulatory responses that I’m aware of . Only GPT-2’s staged https://www.technologyreview.com/2019/08/29/133218/openai-released-its-fake-news-ai-gpt-2/ release https://openai.com/index/gpt-2-6-month-follow-up/ in 2019 is a notable governance action, and note that it was industry-led self-governance rather than government regulation. There’s also a geopolitical angle to this whole thing. Regulatory activity can be pushed by a desire to respond to the efforts of geopolitical rivals or strengthen national leadership. Part of the rationale for the Biden Executive Order was to position the US ahead of Chinese and EU regulatory efforts. Once a desire to create legislation is present, the speed of a government’s regulatory response is influenced by how effectively it can repurpose existing laws/legal frameworks. It’s notable that Italy responded https://www.privacylaws.com/news/italy-s-garante-imposes-and-then-withdraws-a-ban-on-chatgpt/ to the unveiling of ChatGPT in around 120 days because it leveraged powers https://www.sciencedirect.com/science/article/pii/S0740624X24000741 that existed under the GDPR, while the EU AI Act took years to finalize. Compare that to: China’s proposed generative AI rules that came roughly 170 days https://www.beneschlaw.com/insight/china-finalizes-new-ai-rules-as-the-global-race-to-regulate-ai-intensifies/ later and were enacted within 258 days, https://www.beneschlaw.com/resources/china-finalizes-new-ai-rules-as-the-global-race-to-regulate-ai-intensifies.html the Biden Executive Order followed after 334 days https://www.sidley.com/en/insights/newsupdates/2023/11/president-biden-signs-sweeping-artificial-intelligence-executive-order , and the EU AI Act that was finalized after 373 days https://artificialintelligenceact.eu/implementation-timeline/ though it had been under development since 2021 . Italy’s response was the fastest because it deployed GDPR powers, not new AI legislation. Meanwhile, China’s iterative approach was built on regulation of prior algorithms and deep synthesis and the U.S. used Defense Production Act authority. Existing legal infrastructure determines response speed. In order that a regulation is effective and not just symbolic, it typically requires independence from both promotional mandates and the industry it regulates. We can look at incidents like the Fukushima disaster and other catastrophic failures in history that were often caused by regulatory capture, where the body in charge of safety was the same one promoting the technology. Soft law is essentially codes of conduct and voluntary guidelines rather than legal frameworks enforced by liability and other punitive measures, and its voluntary nature cuts against independence as enforcement is left to the industry itself. The primary advocate for soft law https://lsi.asulaw.org/softlaw/wp-content/uploads/sites/7/2021/04/01-18-gets-through-soft-law-special-issue-intro.pdf in AI technology governance is Gary Marchant at ASU and he has built out a fairly comprehensive directory of AI soft law. Alongside Gutierrez, he identified https://papers.ssrn.com/sol3/papers.cfm?abstract id=3855171 634 AI governance programs globally, and it’s notable that around 90% of them were created between 2017–2019. Of these soft law programs, government institutions created 36%, which is actually more than industry created alone. There are typically two categories of rebuttal to Marchant’s position. First, the institutional capture argument argues that voluntary commitments like these often just serve to cover firms while they go about business as usual. Second, the critique that soft law actually forestalls the passage of binding regulation ex. The VW emissions and Boeing 737 MAX cases all demonstrated failures of self-regulation that ultimately required regulatory intervention . This raises the question: "How effective are soft law arrangements, in reality?" One does wonder how effective these soft law schemes are without enforcement mechanisms, which most of them lack. Marchant’s own data reveals that in terms of enforcement “only 30% of programs publicly mention an enforcement or implementation mechanisms”. In 2024 Flankova et al. released a meta-analysis that rounded up 103 studies covering a combined 23 VEPs Voluntary Environmental Programs . It finds that in certain conditions voluntary programs actually can improve outcomes, provided there’s quality standards and clear reporting mechanisms. High quality VEPs will have clear objectives, independent monitoring, and meaningful sanctions. Programs lacking these features won’t have success. We know that there’s some meaningful blind spots when it comes to corporate assessments of risk. An analysis of more than 9400 papers https://arxiv.org/pdf/2505.00174 regarding generative AI found that just 4% of papers from corporate sources analyzed risks like misinformation, persuasion, disclosures, medical and financial contexts, or other core safety related topics. Furthermore, most corporate AI research focuses on AI in pre-deployment contexts, with relatively little attention paid to models post-deployment. The quality and stringency of the program really matters. Programs without stringent requirements and monitoring are joined to greenwash firms, and firms exploit information asymmetries to join these lenient programs. This tracks with other findings that non-binding NGO pressure along doesn’t lead to reliable changes in corporate behavior. 2 https://www.lesswrong.com/feed.xml fnv9ebno3q2d There’s some evidence https://dl.acm.org/doi/10.1145/3236024.3264833 that suggests simply asking people to abide by a Code of Ethics doesn’t work. McNamara et al. 2018 ran a randomized experiment with 63 students and 105 professional developers and found that telling them to consider the ACM Code of Ethics had “no observed effect” compared to a control group. https://neverworkintheory.org/2022/03/02/ethics-in-decision-making.html The sample size here is just too small to really draw too much from it, although I guess it’s consistent with voluntary agreements having a small effect that this study was too under-powered to see. I’d be willing to buy that a one time exposure to a code doesn’t meaningfully shift behavior by itself, and if we want effects it probably has to be combined with the kinds of actual standards and accountability mechanisms described above. Even Marchant acknowledges that traditional soft law methods are quite often “ too vague and general to have any real impact https://cdn.vanderbilt.edu/vu-wordpress-0/wp-content/uploads/sites/278/2020/12/19115820/Governance-of-Emerging-Technologies-as-a-Wicked-Problem.pdf “, and is advocating instead for what he calls “ Soft Law 2.0 https://scholarship.law.umn.edu/cgi/viewcontent.cgi?article=1543&context=mjlst “. This is basically soft law combined with various enforcement mechanisms to try and make it effective, with internal levers like dedicated budgetary allocations, mandatory employee training, and internal auditing committees combined with external levers like third-party verification and public rankings. This reads like an admission that traditional soft law schemes don’t work. It does seem like under certain conditions, soft law can work. If there’s a credible background threat of regulation such as the gaming industry’s ESRB, that can work fairly well. Also consider access to valued resources gated by compliance like stem cell research guidelines enforced via journal publication requirements , or technical interoperability leading to self-enforcing incentives IETF/W3C internet standards . The Marchant “Soft Law 2.0” toolbox is roughly based on the conditions found in these successes, but it remains a proposal, untested at the time of this writing. What remains unknown is the degree to which AI-specific soft laws have actually produced behavioral changes in the companies and developers they claim to affect. We can make some reasonable guesses at how effective they will be. Meta-analyses done on soft law in other industries find that these voluntary programs can work, but only when the objectives are clear, there’s independent monitoring, and the threat of meaningful sanctions exists. And based on the figures above, it’s thought that about 70% of current AI soft law programs don’t meet the conditions. There’s a few asymmetries that make creating effective regulation harder. Effective regulation is dependent on technical expertise to inform regulators, and a major dependency for “regulatory adequacy” is addressing the knowledge gap that exists between AI development companies and regulatory bodies. I don’t believe that the governance literature currently, explicitly distinguishes between incremental capability improvements and net-new capability types. I couldn’t find any documents explicitly using this separation as a consideration framework for regulatory design. Which is concerning, as the evidence suggests the two types of capability changes create different governance challenges. You can see this in the case of the EU AI Act https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1689 , where legislators had to work overtime to respond to the arrival of ChatGPT on the scene. The result was a two-tiered system, one that had basic transparency obligations for all GPAI models and a series of additional requirements for models that exceeded a 10²⁵ FLOPs training compute threshold. The July 2025 Guidelines would then further distinguish between substantial modifications https://artificialintelligenceact.eu/modifying-ai-under-the-eu-ai-act/ that made changes to a high-risk AI system, and lesser modifications that were regulatory continuations of the same model. Agentic AI is the current frontier of capability governance challenges. Many previous governance frameworks are focused on AIs “creating content”, but this moves the relevant consideration to “accomplishing complex tasks autonomously”, also undercutting the assumption of human-in-the-loop oversight most existing frameworks have. Some frameworks are emerging, such as the OWASP Foundation identifying https://my.f5.com/manage/s/article/K000149908 “Excessive Agency” as a distinct vulnerability category, but these remain largely aspirational. You can also see this dynamic at play in the pharmaceutical regulatory framework, where small-molecule drugs go through the well-established New Drug Application https://www.fda.gov/drugs/types-applications/new-drug-application-nda pathway, where generic equivalents only need to show bioequivalence. The emergence of Biologics necessitated the creation of a different drug class along with a new licensing application process BLA vs. NDA , a separate FDA center CDER , and distinct rules for handling of biosimilars. The pattern is pretty familiar by this point. Incremental improvements in known categories of technology are handled through established pathways, but genuinely novel modalities require the painstaking process of creating entirely new regulatory categories, evaluation frameworks and institutional structures. This gets even more complicated when you talk about the possibility of emergent capabilities. Wei et al. 2022 https://arxiv.org/abs/2206.07682 defined them as capabilities “not present in smaller models but present in larger models” that “cannot be predicted simply by extrapolating.” The implication is that incremental scaling could result in new, unforeseen capabilities, which would blur the very boundaries needed to make this distinction. This is controversial though as Schaeffer et al. 2023 https://arxiv.org/abs/2304.15004 argued this as largely a measurement artifact. CSET Georgetown attempts https://cset.georgetown.edu/article/emergent-abilities-in-large-language-models-an-explainer/ a pragmatic resolution, arguing that whether or not emergence is “real”, what we care about for governance is capability predictability. In this sense, the EU AI Act’s compute threshold is a bet on where novel capabilities may arise. …And so currently there’s no systematic way to reliably distinguish between incremental improvements like the common scaling of existing models vs the establishment of new capability types like agentic AI systems. The failure to distinguish between them means governance frameworks often have to scramble to address new capabilities that emerge during the writing process for new regulations. Better delineation between capability types and improvements could help regulators respond quicker and draft anticipatory regulation. 3 https://www.lesswrong.com/feed.xml fnsoo8hrhpxcm Most regulation occurs because some sort of crisis happens, some disaster or near disaster that forces society to pay attention. This is the crisis-response pattern of regulation. In most other high-risk industries such as pharmaceuticals, effective regulation was only catalyzed by a major disaster, so the question is if AI can be the exception to this trend. There are some rare examples of industries or disciplines essentially self-regulating, when faced with technologies that could genuinely be devastating in the right hands. While the 1975 Asilomar Conference is sometimes seen as a template for proactive scientific self-governance, it’s not clear it can be replicated in an AI industry due to different dynamics. Several unique circumstances made Asilomar possible, which would probably not recur today. Katja Grace’s deep dive https://intelligence.org/files/TheAsilomarConference.pdf on the Asilomar Conference covers this all in more detail, but the short version is that some combination of the geopolitical environment along with the threat of legal liability and the knowledge that Congress was already actively considering legislation made self-governing seem attractive. Matthew Cobb https://www.nature.com/articles/d41586-025-00516-2 also called out that there were two considerations that didn’t make it into the conversation: commercialization and bioweapons. https://www.nature.com/articles/d41586-025-00516-2 The Soviet Union’s massive bioweapons program did use recombinant DNA techniques, which was something Asilomar explicitly excluded from discussion. Had either topic surfaced the history of the event might have been pretty different. What does seem clear is that the environment in which Asilomar happened is radically different from the environment AI is being developed in. The AI industry is globally distributed and driven by massive private commercial interests, as opposed to the small group of academics that made up the Asilomar Conference. The better reference for policy wonks and regulators looking to craft regulation before a disaster might be the aviation industry. The first federal regulation happened in 1926 https://www.faa.gov/about/history/brief history with the Air Commerce Act, and somewhat unusually the aviation industry itself lobbied for federal regulation. It was believed “the airplane could not reach its full commercial potential without federal action to improve and maintain safety standards”. Specifically, President Calvin Coolidge appointed a board to study aviation safety and the role the federal government had to play, at the best of aviation industry leaders, which led to the passing of the Air Commerce Act later on. The combined FAA + NTSB + ICAO system that we have today is widely regarded as the most successful safety regulatory regime in technology history, responsible for reducing the commercial aviation fatality rate by orders of magnitude. In fact, the CSIS 2023 explicitly recommends https://www.csis.org/analysis/four-lessons-historical-tech-regulation-aid-ai-policymaking an ASIAS-like Aviation Safety Information Analysis and Sharing system for AI incident reporting. There’s some kind of divergence between AI governance and AI capabilities, but the exact form and magnitude of the divergence isn’t clear. Obviously AI capabilities have accelerated dramatically over the past few years, with huge increases on benchmark performance, to the point some people are wondering if benchmarks are dead https://www.technologyreview.com/2026/03/31/1134833/ai-benchmarks-are-broken-heres-what-we-need-instead/ . And in terms of adoption, adoption among U.S. businesses rose https://www.weforum.org/stories/2025/10/this-month-in-ai-deployment-accelerates-but-is-regulation-keeping-up/ from 5.2% in January 2023 to 43.8% by September 2025. Governing bodies have taken notice and are responding, but not fast enough to prevent a gap from emerging. The number of national AI safety institutes went from zero to 11+ in under two years https://hai.stanford.edu/ai-index/2025-ai-index-report/policy-and-governance . Meanwhile, the number of AI-related regulations in the US went from 11 in 2021 to almost 60 in 2024. https://hai.stanford.edu/ai-index/2025-ai-index-report/policy-and-governance Generally though, we expect that governing bodies will struggle to keep up with the pace of AI innovation, especially if traditional governance schemes are relied on. The Chatham House 2026 https://www.chathamhouse.org/2026/03/breaking-deadlock-ai-governance/02-barriers-global-ai-governance report predicts that “regulatory divergence will intensify through 2027, with the EU-US gap widening.” https://www.chathamhouse.org/2026/03/breaking-deadlock-ai-governance/02-barriers-global-ai-governance Meanwhile, the UNDP predicts https://www.eco-business.com/press-releases/ai-risks-spark-new-era-of-divergence-as-development-gaps-widen-undp-report/ that asymmetries in governance capacity might widen inequality between countries. The four major AI governance regimes -- The US, the UK, the EU, and China -- are adopting different governance approaches commensurate with their value, and the differences between these schemas are likely widening, not converging. There’s work to be done standardizing dimensions to measure governance capability. There are substantial gaps in the literature when it comes to geography and specific industrial sectors. Most research and data regarding regulation and governance focuses on the Global North, leaving thin data on capacity and activity in the Global South. According to the Stanford AI Index 2026, 2024 saw many countries, primarily emerging economies across-Sarah Africa, the Middle East, and Central Asia actively develop regulatory strategies, but most of these appear to be non-binding, and infrastructure to support these agreements isn’t keeping pace with the rate these strategies are being developed. Africa is the clearest documented gap https://hai.stanford.edu/ai-index/2026-ai-index-report/policy-and-governance . During March of 2024, only seven African countries had drafted national AI strategies, and none of those strategies included comprehensive AI regulations. This lack of infrastructure capacity likely explains some of the governance gap. The structural bias in the literature is likely due https://arxiv.org/pdf/2601.17191 , at least in part, to the Brussels Effect, which is the assumption that due to the EU AI Act’s regulatory dominance its standards will diffuse internationally. In other words, it’s assumed that the completeness of the EU standards will make other countries conform to these standards. Yet this establishes a feedback loop where Global North frameworks get studies because they exist while frameworks in the Global South don’t get studies due to the fact that they’re sparse. This actually continues their thinness in the literature. Much of the regulatory research also tends to aggregate AI regulation data across all sectors. This could obscure relevant differences in how AI unfolds across specific fields like healthcare, biosecurity, criminal justice, and energy. Healthcare is the most studied https://www.medrxiv.org/content/10.1101/2025.01.25.25321061v1.full.pdf sector by far, having a fair amount of dedicated literature and binding regulatory activity. The EU’s AI Act March 2024 and Council of Europe’s Framework Convention on AI and Human Rights, Democracy and the Rule of Law September 2024 both have provisions covering AI and health services. Meanwhile, the US has the FDA’s Predetermined Change Control Plan guidance December 2024 . AI regulation in healthcare is genuinely more developed than other sectors , but many other sector aren’t as developed when it comes to coverage. Compare other industries such as criminal justice, where despite AI deployment being common place for tasks like recidivism prediction and predictive policing, binding regulation has lagged far behind the healthcare industry. While the EU AI Act classifies https://journals.sagepub.com/doi/10.1177/20322844251338627 remote biometric identification and recidivism prediction tools as high-risk applications of AI, there’s no equivalent federally binding instrument in the US. Probably the most consequential regulatory gap is the domain of biosecurity. Proteins generated by AI could be functionally equivalent to known hazardous proteins, like toxins, but undetectable by current bio-security methods. Homolog-based screening is the primary method of potentially dangerous synthetic DNA orders, done by comparing the ordered sequences against databases of known toxins and pathogens. However, AI models could lower the barrier https://pmc.ncbi.nlm.nih.gov/articles/PMC13079691/ to discovery and procurement of similarly hazardous proteins not in these databases. The Paraphrase Project confirmed https://biosecurityhandbook.com/ai-biosecurity/ai-pathogen-design.html that this vulnerability existed. By using a tool called EvoDiff the researchers were able to generate thousands of variants of known toxins that went undetected by the major commercial screening methods. The detection rate was as low as 23%, although after collaborative patching, detection did improve up to 97%. A 3% gap persists. There’s been almost no binding regulatory responses addressing this issue. In 2024, there was the OSTP Nucleic Acid Synthesis Screening Framework, which set a deadline for the proposals of regulatory frameworks to address new capabilities in DNA printing. However, the deadline has passed https://www.armscontrol.org/blog/2025-11-24/regulatory-gaps-benchtop-nucleic-acid-synthesis-create-biosecurity-vulnerabilities and no new frameworks have been announced. While the July 2025 America’s AI Action PLan mentioned DNA synthesis as a consideration for regulation, no new binding regulations have been issued. The one notable exception to the pattern of no regulation around biosecurity is the EU AI Act’s dual-use amendment. This amendment did include https://www.ibanet.org/dual-use-biological-research-law AI-driven gene synthesis platforms as an item for control, though it doesn’t specifically target protein structure prediction tools like RFdiffusion or AlphaFold. The Energy sector appears particularly sparsely covered in terms of regulation. I find almost no peer-reviewed publications that actually discussed AI regulatory strategies in the energy domain, which itself seems notable. As previously mentioned, corporate AI research is biased towards pre-deployment areas. This exacerbates the sector aggregation issue described above. As safety research is biased towards pre-deployment and regulatory counts pool sectors together, there’s actually little evidence on what regulation affects real-world deployments across these different sectors. The Brookings Institute argues https://www.brookings.edu/articles/a-comprehensive-and-distributed-approach-to-ai-regulation/ for regulatory approaches that are comprehensive but also enable granular rule creation for specific applications, simply because the proliferation of AI in different socioeconomic contexts creates unique challenges in those specific contexts . Quantitative estimates of “regulatory lag”, the time it takes between a new AI capability being established and the creation of laws that regulate that capability, are pretty scarce. The best available data is basically just extrapolation from mentions of AI in regulatory contexts. The Stanford HAI AI index https://hai.stanford.edu/ai-index/2025-ai-index-report/policy-and-governance tracks legislation across 75 different countries and finds that mentions of AI in regulatory contexts and legislative proceedings have multiplied ninefold since 2016 while federal regulations have doubled, going from 25 in 2023 to 59 in 2024. This tells us that regulators are paying more attention to AI but we don’t know how long it takes for them to take notice or act on new AI developments. In my research I found that there doesn’t seem to be any formal method of quantifying “regulatory lag”. This is problematic for various reasons, but the main one being that it reduces our ability to estimate how quickly society will adapt to new AI technologies. Many things are downstream from this estimation, including determining when regulatory rules will become outdated and need updating, how to speed up regulatory changes, and how many improvement cycles will occur between rounds of regulation. For this reason, I attempted to establish https://criticalreason.substack.com/p/whats-the-regulatory-gap-for-ai a framework that quantifies two different types of regulatory lag: The lag between recognition of a new AI capability and the creation of binding laws meant to deal with that capability. I did this by defining a number of specific AI capability announcements and milestones, searching for formal recognition of capabilities/binding regulations, then calculating the differences between the regulatory related events and the announcements. I investigated how the lag changed across different AI subdomains and different regulatory jurisdictions -- The US, the UK, EU, and China. I found that the median expected lag between a new AI capability’s announcement and the creation of binding laws varies substantially across regulatory jurisdictions. Based entirely on data from 2017 to the end of 2025, the median total lag for regulation is 10.2 months for China, while the EU’s lower bound is 32.1 months and the upper bound 62.2 months. At the moment of writing, many laws haven’t yet taken effect, so the lag data was subject to have “right-censoring”. In greater detail: Governments often recognize capabilities rather quickly, but the transition to binding law is the main bottleneck: These modern AI timelines are rather compressed when you compare them to historical technological precedents. Mature regulation for these fields took decades, if not years: However, we should note that the lag time often depends on the exact capabilities in question. Autonomous vehicles are a subdomain of AI, and for this milestone specifically, the lag was relatively short. China reached binding regulation in 9 and half months and the USA in 24-months/2-years. Meanwhile, biosecurity saw the longest lag. The analysis found no binding regulations specifically addressing biosecurity-adjacent AI, like AlphaFold 2, had taken effect in any jurisdiction by the end of 2025. 4 https://www.lesswrong.com/feed.xml fnkcvufp9lcsd Why exactly is the timeline so compressed compared to other technologies? Several explanations present themselves: Still, no peer-reviewed empirical study https://www.mdpi.com/2624-800X/5/4/101 has compared AI’s regulatory timeline to historical precedents using a consistent methodology. I recommend further exploration. Anticipatory Legislation vs Reactive Legislation It seems meaningful to distinguish between two types of legislation. Reactive legislation merely responds to capabilities or crises, while anticipatory legislation attempts to create the governance frameworks to control these things before capabilities have fully manifested. In the “T0/T1/T2” framework described above, reactive regulation displays a positive lag T1 happens after T0 . Meanwhile, anticipatory regulation results in a negative recognition lag, meaning the government created a policy document before the capability was demonstrated in public. It seems that reactive legislation is almost always catalyzed by disaster or high-salience shocks. Consider events like the sulfanilamide disaster for pharmaceuticals or the launch of ChatGPT for AI. In contrast, anticipatory regulation leverages regulatory foresight, with regulatory officials aiming to handle potential developments. Anticipatory efforts must reckon with the “ Collingridge Dilemma https://en.wikipedia.org/wiki/Collingridge dilemma “ technologies are easy to influence when young but their impacts hard to foresee, when impacts become clear the technology is often too entrenched to easily influence . Despite the difficulty inherent in the Collingridge Dilemma, we are seeing more proposed or implemented anticipatory frameworks: Certain mechanisms may aid governments in “getting ahead” of capability development, in the sense of anticipating how technology is likely to evolve and operationalize: Strategies to Speed Up Regulation The regulatory process and government movement in general is notoriously slow. However, there are apparently several mechanisms that can reduce the time between a capability’s emergence and a binding response, outside of living document approaches and using existing legal infrastructure: Again though, the success of all of this depends on regulatory independence. Many failures in technology governance can be traced back to a lack of independence from the body the regulation applies to. Ensuring the regulator remains free of influence from both industry and promotional mandates is the most reliable predictor of long-term, effective governance. Other gaps in the landscape include the following: What creates new regulatory bodies? A few different factors seem to predict the creation of new regulatory bodies or frameworks. Agenda-setting is cited as the primary mechanism industry uses to shape policy according to Rand corporation research https://www.rand.org/pubs/research briefs/RBA3679-1.html . Geopolitical competition certainly plays a role as well, with the Biden EO aiming https://www.sidley.com/en/insights/newsupdates/2023/11/president-biden-signs-sweeping-artificial-intelligence-executive-order to place US leadership ahead of both EU and Chinese regulatory endeavors. While academic and civil society advocacy can create pressur https://www.caidp.org/cases/openai/ e, it seems they rarely trigger action alone. https://www.caidp.org/cases/openai/ Capability thresholds appear necessary but not sufficient for the creation of regulatory frameworks. While thresholds like the EU AI Act’s 10²⁵ FLOPs https://artificialintelligenceact.eu/high-level-summary/ , exist in regulatory frameworks, they likely weren’t the proximate trigger for those frameworks’ creation. What bridges the gap between adoption and governance? Corporate governance maturity is typically assessed with survey data from agencies like McKinsey, Deloitte, PwC, IAPP, etc. Regardless of the source, the finding is generally consistent, adoption outpaces governance by a wide margin. There’s strong convergent validity. More specifically, McKinsey’s 2026 AI Trust Maturity Survey https://www.mckinsey.com/capabilities/tech-and-ai/our-insights/tech-forward/state-of-ai-trust-in-2026-shifting-to-the-agentic-era introduced a 4-point maturity scale. There’s an average score of 2.3/4.0 across the industry, with only approximately 30% of organizations reaching level 3 or higher. https://www.mckinsey.com/capabilities/tech-and-ai/our-insights/tech-forward/state-of-ai-trust-in-2026-shifting-to-the-agentic-era It isn’t clear what tactics decrease the adoption and governance gap, except that organizations which invest $25 million or more in responsible AI consistently report higher maturity along with an EBIT impact above 5%. What about agenda-setting in the sense of industry actions, or special interest groups? If the AI industry tries to influence policy by advancing anti-regulation narratives, that’s sometimes called second-level agenda-setting or framing. And while my analysis can’t really speak to this, there is one notable finding in the analysis: positive coverage is actually correlated with more regulation, not less. If industry actors were successfully suppressing regulation through positive framing, you’d expect the opposite pattern. I should point out that there’s a potential self-selection effect here that the analysis doesn’t really deal with; better performing firms might self-select into these kinds of voluntary agreements. The analysis attempts to address this. The effects described are also just aggregate correlation. Despite this, I think it’s likely that firms in stringent voluntary agreements tend to have better outcomes as defined by those standards, though we can’t say why. …Aside from all of this, there’s also a capacity gap between private investment in AI forms and the relatively small budgets allocated to regulation enforcement by organizations like the EU. Increased funding would likely help narrow the knowledge gap by allowing regulatory bodies to attract more knowledgeable talent and define new standards for measuring effectiveness. Note that the “acceleration” you can see in later milestones like GPT-4 is likely a window truncation artifact due to the EU AI Act hitting multiple previously developed capabilities at the same time.